Nico Williams | 14 Aug 03:49 2011

Generalizing krb5_ticket_get_authorization_data_type()?

I notice that there is a very nice function called find_type_in_ad(),
that I'd like to use elsewhere, and which could be used to simplify
some code (e.g., rd_req.c:find_etype_list()).  But... a) it's a
static, b) it doesn't have a way to indicate whether the AD found is
critical or not (i.e., in an AD-IF-RELEVANT).

(krb5_ticket_get_authorization_data_type() has the same problem (b),
and also it only works on Tickets, but I need one that works on
Authenticators too.)

Any objections to a krb5_get_authorization_data_type() that takes...
what exactly?  krb5_auth_context doesn't store the Ticket...  can I
fix that too?  I imagine that we eventually want to free the Ticket,
to lower memory footprint, so maybe not?  Well, I don't need a very
general get-authz-data function yet, so I could just settle for
krb5_get_authenticator_authz_data_type().  Or if you know when it'd be
appropriate to release the Ticket, if we saved it in the auth context,
then I could code that.
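As an added example (not Nico's proposal and not Heimdal code), the constructed C below models the distinction his point (b) is about: a lookup over AuthorizationData that reports whether the matching element sits at top level (critical) or inside an AD-IF-RELEVANT wrapper (ignorable if not understood). The ADElement and AuthorizationData types, find_ad_type() and lookup_in_sample() are assumptions of this example; real AD-IF-RELEVANT contents are DER-encoded and would have to be decoded where the comment says so.

```c
/*
 * Added illustration, not Heimdal code: the ADElement/AuthorizationData
 * types are constructed stand-ins for the ASN.1 AuthorizationData of
 * RFC 4120 section 5.2.6, and find_ad_type() is a hypothetical lookup
 * that also reports whether the match was critical.
 */
#include <stddef.h>
#include <stdint.h>

/* ad-type value of AD-IF-RELEVANT (RFC 4120 section 7.5.4). */
#define AD_IF_RELEVANT 1

typedef struct AuthorizationData AuthorizationData;

typedef struct {
    int32_t ad_type;
    const uint8_t *ad_data;
    size_t ad_len;
    /* Constructed shortcut: for AD-IF-RELEVANT, the already-decoded inner
     * AuthorizationData. Real code would DER-decode ad_data here. */
    const AuthorizationData *inner;
} ADElement;

struct AuthorizationData {
    size_t len;
    const ADElement *val;
};

/*
 * Recursively search ad for an element of the given type.
 * Returns 1 and sets *out and *critical when found, 0 otherwise.
 * An element is critical unless it sits inside an AD-IF-RELEVANT wrapper:
 * elements outside such a wrapper that the server does not understand
 * must cause the ticket or authenticator to be rejected, while elements
 * inside one may be ignored.
 */
int find_ad_type(const AuthorizationData *ad, int32_t type,
                 int inside_if_relevant,
                 const ADElement **out, int *critical)
{
    size_t i;
    for (i = 0; i < ad->len; i++) {
        const ADElement *e = &ad->val[i];
        if (e->ad_type == AD_IF_RELEVANT && e->inner != NULL) {
            /* Anything found below here is non-critical. */
            if (find_ad_type(e->inner, type, 1, out, critical))
                return 1;
            continue;
        }
        if (e->ad_type == type) {
            *out = e;
            *critical = !inside_if_relevant;
            return 1;
        }
    }
    return 0;
}

/*
 * Demo on constructed data: type 99 at top level (critical), type 77
 * wrapped in AD-IF-RELEVANT (non-critical).
 * Returns 1 = found and critical, 0 = found but ignorable, -1 = absent.
 */
int lookup_in_sample(int32_t type)
{
    static const uint8_t blob[] = { 0xde, 0xad };
    static const ADElement inner_elems[] = {
        { 77, blob, sizeof blob, NULL },
    };
    static const AuthorizationData inner = { 1, inner_elems };
    static const ADElement top_elems[] = {
        { 99, blob, sizeof blob, NULL },
        { AD_IF_RELEVANT, NULL, 0, &inner },
    };
    static const AuthorizationData top = { 2, top_elems };
    const ADElement *found = NULL;
    int critical = 0;

    if (!find_ad_type(&top, type, 0, &found, &critical))
        return -1;
    return critical ? 1 : 0;
}
```

A consumer on the server side would use the critical flag to decide policy: a match (or an unknown type) at top level is binding and an unknown one is grounds for rejection, whereas a match inside AD-IF-RELEVANT is advisory and may be skipped when the type is not understood.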



Harald Barth | 10 Aug 14:47 2011

Re: Heimdal in Lion

FYI: Apple has closed ticket number 8813134 which is the "original"
Bug-ID, the one the ssh bug was marked a duplicate of. As someone else
is the submitter of 8813134, it is not revealed if "closed" means "an
update will be shipped" or "we don't give a s***". To my knowledge
there has not been shipped any update yet, so for the users the bug is
still unsolved (open).


Jelmer Vernooij | 4 Aug 03:03 2011

[PATCH] Remove more krb4 references from automake files.

From: Jelmer Vernooij <jelmer <at>>

 appl/afsutil/    |    3 --
 appl/ftp/common/ |    4 +--
 appl/ftp/ftpd/   |    4 +--
 appl/rcp/        |    2 -
 appl/su/         |    2 +-
 cf/crypto.m4                |   52 -------------------------------------------
 kcm/             |    3 +-
 kdc/             |    9 +++----
 lib/gssapi/      |    3 +-
 lib/krb5/        |    2 +-
 lib/libedit/aclocal.m4      |   32 +++++++++++++++++++++-----
 lib/libedit/       |   40 +++++++++++++++++++--------------
 12 files changed, 59 insertions(+), 97 deletions(-)

diff --git a/appl/afsutil/ b/appl/afsutil/
index c0ca0d5..705bdf1 100644
--- a/appl/afsutil/
+++ b/appl/afsutil/
 <at>  <at>  -2,8 +2,6  <at>  <at> 

 include $(top_srcdir)/

 bin_PROGRAMS = afslog pagsh

 afslog_SOURCES = afslog.c
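Review bot: only unchanged context lines are visible in this hunk; the header `-2,8 +2,6` says two lines are dropped from this file, but the `-` lines themselves are not shown, so whether they are actually the krb4 references named in the subject cannot be checked from this excerpt. The file names in the diffstat and in the `diff --git` line are also cut off, which hides which automake file this is; the complete hunk with its removed lines should be looked at before merging.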

Harald Barth | 3 Aug 18:30 2011

iprop: Propagating a single create message _again_

As one of my KDC slaves has missed an iprop principal create message I
want to trigger the resending of this iprop message. The iprop log
file on the slaves does _not_ contain the create message, so a log
replay does not help. Modifying the principal does not help as the
modify message does not seem to contain enough to create the principal
on the slave.

If replaying a single old create is not possible, can I force a replay
of _everything_ from the master to the slave? Is there a safe way to
do this, preferably with short or no interruption to the KDC itself?


Ethan Tira-Thompson | 30 Jul 00:21 2011

encryption type configuration

Hi, I’ve recently updated to Heimdal 1.4.1apple1 (i.e. Mac OS X Lion), and whenever I try to use kinit I get:
	$ kinit
	kinit: krb5_get_init_creds: KDC has no support for encryption type

My /Library/Preferences/ contains:
allow_weak_crypto = true
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
default_etypes = des-cbc-crc
default_etypes_des = des-cbc-crc

among other settings
( - I
added the allow_weak_crypto)

The weird thing is if I explicitly specify des-cbc-crc on the command line it works fine:
	kinit -e des-cbc-crc #works fine

So why is it only working when I specify encryption type on the command line, and not already reading this
from the config file (it’s getting my default_realm and other server settings from the file, so I know
it's reading it…?)


Andreas Haupt | 26 Jul 11:35 2011

PKINIT with Ubuntu 11.04


does anyone know how to get PKINIT with globus proxy certificates
working with Heimdal 1.4.99 (packaged with Ubuntu 11.04)? With a
self-compiled 1.2.1 it works on that system:

[znpnb195] ~ % /tmp/heimdal/bin/kinit --version
kinit (Heimdal 1.2.1)
Copyright 1995-2008 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs <at>
[znpnb195] ~ % /tmp/heimdal/bin/kinit -C FILE:$X509_USER_PROXY -D DIR:$X509_CERT_DIR ahaupt <at> NAF.DESY.DE
[znpnb195] ~ % klist
Credentials cache: FILE:/tmp/tmp.mjlFZuGILM
        Principal: ahaupt <at> NAF.DESY.DE

  Issued           Expires          Principal
Jul 26 11:30:50  Jul 27 12:30:50  krbtgt/NAF.DESY.DE <at> NAF.DESY.DE

With the packaged version I get this error:

[znpnb195] ~ % kinit --version
kinit (Heimdal 1.4.99)
Copyright 1995-2010 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs <at>
[znpnb195] ~ % kinit -C FILE:$X509_USER_PROXY -D DIR:$X509_CERT_DIR ahaupt <at> NAF.DESY.DE
kinit: krb5_get_init_creds: Create CMS signedData: RSA private encrypt failed: 569888

Anything that needs to be done additionally now? The client seems to get
stuck already at the initialization - it doesn't even contact the KDC.


Stefan (metze) Metzmacher | 26 Jul 02:18 2011

Some more patches from lorikeet-heimdal

Hi Love,

What do you think about these patches?

From f9913570f0c424015c4270ace1c4f6a47a3f361f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze <at>>
Date: Sun, 24 Jul 2011 20:55:36 +0200
Subject: [PATCH 1/5] kdc: only pass HDB_F_CANON if the client specified b->kdc_options.canonicalize

 kdc/krb5tgs.c |   10 +++++++---
 1 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index b0d5455..85b0be0 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
 <at>  <at>  -1508,6 +1508,7  <at>  <at>  tgs_build_reply(krb5_context context,

     Key *tkey_check;
     Key *tkey_sign;
+    int flags = 0;

     memset(&sessionkey, 0, sizeof(sessionkey));
     memset(&adtkt, 0, sizeof(adtkt));
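Review bot: the new `int flags = 0;` is declared but not used anywhere in the visible part of this hunk; the gating on `b->kdc_options.canonicalize` that the subject describes presumably lives in the next hunk (`-1517,6 +1518,9`), whose body is cut off here, so the HDB_F_CANON logic itself cannot be reviewed from this excerpt. When the full patch is available, check that `flags` only gains HDB_F_CANON when the client actually set canonicalize and that no unconditional HDB_F_CANON remains on the lookup path.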
 <at>  <at>  -1517,6 +1518,9  <at>  <at>  tgs_build_reply(krb5_context context,

Harald Barth | 25 Jul 15:06 2011

Re: Heimdal in Lion

The broken ssh in Lion has been assigned Bug ID# 9743343 (amongst
other duplicates). If there is anyone with information on progress on
this, I would be pleased to know. Otherwise I have to prepare a
workaround (in effect shipping a replacement ssh to these users which
want to use our services from OSX Lion), make the support web pages
etc etc. All resulting in more "Kerberos does not work, why are you
using that s***" talk which I really don't need.


PS: Since release (5 days) we have 2 users who have fallen for the
"over 250 new features of OSX Lion" and no longer can log in to our

doug quaid | 25 Jul 09:38 2011

Disable password change for users via kadmind.acl or other

Is it possible to prevent all users from changing their password via
kadmin? I am using Heimdal 1.2. As far as I can tell there is no way to
do so. I run kadmin as a user; the 'privileges' command says "none" and
'get' fails, but I am able to issue the 'passwd' command. I have tried
adding "joe get joe" to kadmind.acl with the expectation that joe would
only have 'get' privileges, but this still does not prevent joe from
changing joe's password.
Is there another way?

Stefan (metze) Metzmacher | 24 Jul 17:37 2011

lib/krb5: Allow any kvno to match when searching the keytab.

Hi Love,

is this patch acceptable for you?

Stefan (metze) Metzmacher | 24 Jul 17:34 2011

kdc: fix comparison between krb5int32 (int) and unsigned int

Hi Love,

I noticed a regression with this commit:

commit f5f9014c90cdf795867ad336803caf802bac7fed
Author: Love Hornquist Astrand <lha <at>>
Date:   Fri Apr 29 20:25:05 2011 -0700

    Warning fixes from Christos Zoulas

    - shadowed variables
    - signed/unsigned confusion
    - const lossage
    - incomplete structure initializations
    - unused code
 kdc/krb5tgs.c |   15 ++++++++-------
 1 files changed, 8 insertions(+), 7 deletions(-)

Casting (int) to (size_t) is wrong.
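As an added example (not part of Stefan's message or of the commit he quotes), the C below shows the failure mode behind "casting (int) to (size_t) is wrong": silencing a signed/unsigned comparison warning with a cast lets a negative krb5int32 pass as a huge unsigned value instead of being rejected. The functions here and the typedef of krb5int32 as int32_t are assumptions of this example, chosen to match the post's description of krb5int32 as an int.

```c
/*
 * Added illustration, not Heimdal code: why converting a signed int to
 * size_t is not a fix for a signed/unsigned comparison warning.
 * krb5int32 is assumed here to be a 32-bit int, as the post says.
 */
#include <stddef.h>
#include <stdint.h>

typedef int32_t krb5int32;   /* assumption: matches Heimdal's typedef */

/*
 * Silenced-warning variant: casting n to size_t turns -1 (a common error
 * or "not found" sentinel) into SIZE_MAX, so a loop bounded by (size_t)n
 * runs until something else stops it. `cap` only exists to keep this
 * demo finite; it stands in for the end of a real buffer.
 */
size_t iterations_with_cast(krb5int32 n, size_t cap)
{
    size_t i, done = 0;
    for (i = 0; i < (size_t)n && done < cap; i++)
        done++;
    return done;
}

/* Correct variant: reject negative values before changing the type. */
size_t iterations_checked(krb5int32 n, size_t cap)
{
    size_t i, done = 0;
    if (n < 0)
        return 0;            /* error or sentinel: nothing to iterate */
    for (i = 0; i < (size_t)n && done < cap; i++)
        done++;
    return done;
}

/*
 * The comparison itself: in `a < b` with int a and unsigned b, the usual
 * arithmetic conversions turn a into unsigned, so -1 < 5u is false.
 * (This is the comparison the warning complains about.)
 */
int less_than_promoted(krb5int32 a, unsigned b)
{
    return a < b;
}

/* Same question answered without losing the sign of a. */
int less_than_checked(krb5int32 a, unsigned b)
{
    return a < 0 || (unsigned)a < b;
}
```

The warning is pointing at a real semantic question (what should a negative value mean here?), and the answer has to be written as an explicit check; a cast just hides the question and, for -1, converts an error into an unbounded loop or an accepted out-of-range value.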